A. Field of the Invention
This invention relates to the field of telecommunications and more particularly to the control of encryption and compression of data by network elements.
B. Description of Related Art
Data compression is a known technique for reducing the size of a file or the size (i.e., length) of a data stream. Data compression is achieved by eliminating unnecessary information, such as redundant data, and by substituting symbols to represent repeated data patterns. Data compression therefore allows a data stream to transmitted with fewer symbols, and thus faster, over a communications link with a given, finite bandwidth.
Encryption is technique for transforming data into an unreadable form, such as by hiding the repetition of data patterns, to reduce the likelihood of an outsider deducing the contents of a data stream. Encryption promotes privacy and security of data transfer, particularly when public or otherwise unsecure networks are used as a transmission medium.
Telecommunications equipment typically have the capability of performing both data compression and encryption. Generally speaking, it is important for a data stream to be compressed prior to being encrypted. If data is encrypted prior to being compressed, the compression will not be as effective because the repetition of bit patterns will no longer exist in the encrypted stream that is fed into the data compression mechanism.
Compression and encryption can be performed in the modules that implement the protocols at different layers or levels in the OSI reference model. For example, the Point-to-Point Protocol (PPP) includes data compression and encryption features that can be applied to the data stream by a PPP software module or stack. In addition, encryption and data compression are features that can be implemented in higher level Internet Protocol (IP) software modules or stacks.
The endpoints of the compression and encryption sessions are the entities that are burdened with these increased processing requirements. The remote terminal, e.g., in a wireless communications scenario, a portable wireless communications device, is always burdened with compression and encryption processing tasks, and this is virtually unavoidable since compression and encryption are considered vital for secure and efficient data transfer over a radio link. The other burdened element is the network element or entity that terminates the PPP link (if encryption and compression at the PPP level is performed) and the network element or entity that terminates an IP session. Encryption and compression, at either the PPP or the IP level, requires considerably more CPU processing power on a per-packet basis than standard routing operations, and in many situations can be a significant processing load on the network entities.
When two different network entities process protocols at different layers, and when such layers offer both compression and encryption features, a problem arises as to how to control and coordinate the implementation of such compression and encryption between the two network entities. Ideally compression and encryption should be performed only once, and in that order, to avoid unnecessary consumption of processing power in the network entities. The present invention addresses this problem and provides for methods for two different network entities to coordinate which one will implement a data compression algorithm and which will implement an encryption algorithm.
The present invention will be described herein in the context of a wireless networking example in which the two network entities consist of a foreign agent and a home agent (see RFC 2002 for further details). The foreign agent in this example is a network access server. The home agent is a router. It will be appreciated that the invention can be implemented with other types of network entities and in other network environments.
The present invention provides for methods for controlling the compression or encryption of data exchanged between two different network entities and a remote communications device. The two different network entities comprise a first network entity (such as a home agent) and a second network entity (such as a foreign agent). In a representative embodiment, the first network entity will generally be suited to process encryption or compression at one level or layer (e.g., at the IP layer), and the second network entity will be suited to process the encryption or compression at a second, different layer or level, such as at the PPP layer. Thus, both network entities have a central processing unit capable of performing at least one data compression algorithm on the data and one encryption algorithm on the data.
The method includes the step of sending a message from the first network entity to the second network entity instructing the second network entity to either negotiate, or not negotiate, a data compression protocol and/or encryption protocol with the communications device. For example, the home agent may instruct the foreign agent to negotiate a PPP level compression protocol with the communications device if it has not already been done. Alternatively, the home agent may instruct the foreign agent to disable PPP compression, i.e., tear down any existing PPP level data compression session with the communications device. Similarly, the home agent may instruct the foreign agent to enable or disable PPP encryption protocols.
In the event that the second network entity is instructed to not negotiate a data compression and/or encryption protocol with the communications device, then data compression and/or encryption is performed by the first network entity. For example, if the home agent instructs the foreign agent to not negotiate PPP layer data compression, then the home agent implements IP layer data compression. As another example, if the home agent instructs the foreign agent to not negotiate PPP layer encryption, then the home agent implements an IP layer encryption algorithm.
In the event that the second network entity is instructed to negotiate a data compression and/or encryption protocol with the communications device, then the second network entity implements a data compression and/or encryption on the data per the instructions. This allows the first network entity to not implement a data compression algorithm or encryption algorithm, whereby data compression or encryption are performed only once under the supervision of the first network entity. The result is that processing power is conserved in the network entity that is relieved of implementing the data compression or encryption algorithm on the data.
In additional to these instructions, the first network entity (e.g., the home agent) can also supply a message to the second network entity (e.g., the foreign agent) telling the second network entity whether the first network entity is enabling or disabling encryption or compression features at a given layer in the OSI reference model, such as the IP layer. This information can be used as a reason indicator or code supplied to the communications device explaining why a lower level encryption or compression protocol negotiation was rejected.
The format or method by which the encryption and compression instruction message is given from the first network entity to the second entity can take many forms. In the wireless network access example of FIG. 1, the message can be appended to a registration reply message sent from the home agent to the foreign agent in response to a registration request message from the foreign agent.
Further, the nature of the communications device in which the invention can be used is not important. In the representative wireless networking example, the communications device can be any mobile wireless communications device.
In one possible embodiment, the second network entity sends a message to the first network entity indicating whether the second network entity is willing to abide by instructions from the first network entity, i.e., whether it is willing to negotiate compression and/or encryption protocols at a given layer (e.g., at the PPP layer). Typically, this message will be given to the first network entity before it sends its instruction message to the second network entity. This allows the second network entity to indicate it is experiencing a high CPU load or otherwise is unwilling to negotiate the compression and encryption protocols. Furthermore, a manifestation of unwillingness to negotiate encryption and, compression protocols at a given level by the second network entity will usually indicate that they must be performed by the first network entity.